Skip to content

[TECHNICAL] SBOM changes to be pushed in an specific branch with signed commits#4837

Open
jesmrec wants to merge 3 commits intomasterfrom
technical/adapt_sbom_workflow_signed_commits
Open

[TECHNICAL] SBOM changes to be pushed in an specific branch with signed commits#4837
jesmrec wants to merge 3 commits intomasterfrom
technical/adapt_sbom_workflow_signed_commits

Conversation

@jesmrec
Copy link
Copy Markdown
Contributor

@jesmrec jesmrec commented Apr 27, 2026
edited
Loading

New logic of the workflow:

  • After merging a PR into master, the workflow is triggered
  • cycloneDx generates an SBOM over the new HEAD of master
  • Fetch the existing sbom file in the chore/sbom-update branch, if the branch exists. If not, get the origin/master one. The idea is getting the newest version to compare with
  • Both sbom files (the one generated in the workflow and the existing one to compare) are normalized and sorted to be compared using jq, in order to know if there are changes or not.
    • If there are changes -> create/update chore/sbom-update
    • If there are no changes -> stop
  • Added a manual dispatch in case dependencies are updated inside of a release branch, with target branch as parameter and master as default
  • Removed concurrency policy. Every PR must trigger the workflow to check dependencies.
  • Added an step to the release template to merge the sbom branch before creating release branch

Related Issues

App:

  • Add changelog files for the fixed issues in folder changelog/unreleased. More info here
  • Add feature to Release Notes in ReleaseNotesViewModel.kt creating a new ReleaseNote() with String resources (if required)

QA

@jesmrec jesmrec self-assigned this Apr 27, 2026
@jesmrec jesmrec force-pushed the technical/adapt_sbom_workflow_signed_commits branch 3 times, most recently from a00da5b to be8c3e2 Compare April 27, 2026 11:18
@jesmrec jesmrec marked this pull request as ready for review April 27, 2026 12:28
@jesmrec
Copy link
Copy Markdown
Contributor Author

jesmrec commented Apr 28, 2026
edited
Loading

Moving to "In progress" again to inspect an issue before reviewing @joragua @DeepDiver1975

@jesmrec jesmrec force-pushed the technical/adapt_sbom_workflow_signed_commits branch 2 times, most recently from 4d0dcb2 to 531a27d Compare April 28, 2026 13:05
@jesmrec jesmrec added this to the 4.8 - Current milestone Apr 28, 2026
@jesmrec
Copy link
Copy Markdown
Contributor Author

jesmrec commented Apr 28, 2026

Ready for review again!

joragua
joragua requested changes Apr 29, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@joragua joragua left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Somme comments here @jesmrec!

Comment thread .github/workflows/sbom.yml
Comment thread .github/workflows/sbom.yml Outdated
@jesmrec jesmrec force-pushed the technical/adapt_sbom_workflow_signed_commits branch from 531a27d to c5a3d1b Compare April 29, 2026 15:49
@jesmrec jesmrec requested a review from joragua April 29, 2026 15:56
DeepDiver1975
DeepDiver1975 reviewed Apr 29, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@DeepDiver1975 DeepDiver1975 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR Review: SBOM Workflow — Signed Commits to Dedicated Branch

Overview

This PR restructures the SBOM generation CI workflow to address security policy requirements. Key changes:

  • Workflow now triggers only on master pushes (previously: all feature/fix/etc. branches)
  • Replaced direct commit push with peter-evans/create-pull-request to maintain a chore/sbom-update branch
  • Added sign-commits: true for verified commits
  • Improved output variable naming (changes=true/false vs inverted no_changes)
  • Added manual dispatch with configurable target_branch
  • Added release template step to merge the SBOM branch before cutting a release

Code Quality & Style

Improvements:

  • Cleaner boolean semantics: changes=true/false is much more readable than the old no_changes=true/false
  • Conditional token generation (if: steps.compare.outputs.changes == 'true') avoids unnecessary API calls — good practice
  • All action pins use commit SHAs — secure
  • Comparison logic is well-documented with inline comments

Issues:

  1. Missing error fallback in git show — This is a regression. The old code had || echo '{}' > sbom_prev.json; the new code does not:

    git show "$PREVIOUS_SBOM_REF:sbom.json" > sbom_prev.json

    If sbom.json doesn't exist on origin/master (e.g., first run, or on a freshly dispatched non-master target_branch), the workflow will fail hard instead of gracefully treating it as an empty/new SBOM.

  2. fetch-depth: 2 is now vestigial — This was needed for the old HEAD~1 comparison. Now that comparison is done against remote branches, depth 2 provides no benefit. Minor cleanup opportunity.

  3. Hardcoded FALLBACK_BRANCH="master" — When dispatching manually with a custom target_branch, the fallback for comparison is still master, not the target branch. This may be intentional (always compare against master as the source of truth), but deserves a comment explaining the reasoning.

Logic & Correctness

  1. No concurrency policy + push to master — The PR description says "Removed concurrency policy. Every PR must trigger the workflow." But with the trigger now being push: branches: [master], rapid consecutive merges to master could create race conditions where two workflow runs both try to create/update chore/sbom-update. The peter-evans/create-pull-request action handles the "update existing PR" case, but concurrent git operations on the same branch without a concurrency guard can still cause conflicts. Consider re-adding a concurrency group scoped to the source branch:

    concurrency:
  group: sbom-update
  cancel-in-progress: false

  2. Infinite loop potential — low risk but worth documenting — When chore/sbom-update is merged into master, the workflow triggers again. Because delete-branch: true removes the branch on merge, the fallback to origin/master will be used, and the generated SBOM should match master's SBOM exactly → changes=false → workflow stops cleanly. This is correct behavior, but it's non-obvious and worth a brief comment in the workflow.

Security

  1. sign-commits: true requires App configuration — This is the core security improvement, but sign-commits: true in peter-evans/create-pull-request requires the GitHub App to have commit signing configured at the organization level. If SBOM_APP_ID/SBOM_APP_PRIVATE_KEY don't have the required permissions, this will fail silently or with a cryptic error. Confirm the App has been granted signing capabilities.

  2. permissions: contents: write — Broad but carried over from the previous version; no regression.

Minor

  1. Typo in changelog entry (changelog/unreleased/4837):

    "pushing them to an specific branch"

    Should be "a specific branch."

Summary

Area Status
Core logic Correct
Security improvement Solid — signed commits via App token is the right approach
Regression risk git show lacks the old || echo '{}' fallback
Race condition Possible without concurrency guard
Cleanup fetch-depth: 2 vestigial

The overall approach is sound and the goal (signed, auditable SBOM commits) is well-implemented. The main items to address before merging are the missing git show error fallback and clarifying the concurrency strategy.

@jesmrec jesmrec force-pushed the technical/adapt_sbom_workflow_signed_commits branch from c5a3d1b to 2a28721 Compare April 30, 2026 07:04
@jesmrec
Copy link
Copy Markdown
Contributor Author

jesmrec commented Apr 30, 2026

Issues

  1. Missing error fallback in git show — This is a regression. The old code had || echo '{}' > sbom_prev.json; the new code does not:
    git show "$PREVIOUS_SBOM_REF:sbom.json" > sbom_prev.json
    If sbom.json doesn't exist on origin/master (e.g., first run, or on a freshly dispatched non-master target_branch), the workflow will fail hard instead of gracefully treating it as an empty/new SBOM.

I think it can be safety assumed that origin/master will always contain an sbom.json file.

  1. fetch-depth: 2 is now vestigial — This was needed for the old HEAD~1 comparison. Now that comparison is done against remote branches, depth 2 provides no benefit. Minor cleanup opportunity.

right, removed.

3.Hardcoded FALLBACK_BRANCH="master" — When dispatching manually with a custom target_branch, the fallback for comparison is still master, not the target branch. This may be intentional (always compare against master as the source of truth), but deserves a comment explaining the reasoning.

comment added

4.No concurrency policy + push to master — The PR description says "Removed concurrency policy. Every PR must trigger the workflow." But with the trigger now being push: branches: [master], rapid consecutive merges to master could create race conditions where two workflow runs both try to create/update chore/sbom-update. The peter-evans/create-pull-request action handles the "update existing PR" case, but concurrent git operations on the same branch without a concurrency guard can still cause conflicts. Consider re-adding a concurrency group scoped to the source branch:

concurrency added again to create a queue in case more than one execution tries to write in the branch at the time.

  1. Infinite loop potential — low risk but worth documenting — When chore/sbom-update is merged into master, the workflow triggers again. Because delete-branch: true removes the branch on merge, the fallback to origin/master will be used, and the generated SBOM should match master's SBOM exactly → changes=false → workflow stops cleanly. This is correct behavior, but it's non-obvious and worth a brief comment in the workflow.

SBOM updates will never change SBOM content. no action required, IMO

  1. sign-commits: true requires App configuration — This is the core security improvement, but sign-commits: true in peter-evans/create-pull-request requires the GitHub App to have commit signing configured at the organization level. If SBOM_APP_ID/SBOM_APP_PRIVATE_KEY don't have the required permissions, this will fail silently or with a cryptic error. Confirm the App has been granted signing capabilities.

permissions are granted from the proper github app. Nothing to do here.

  1. permissions: contents: write — Broad but carried over from the previous version; no regression.

👍

  1. Typo in changelog entry (changelog/unreleased/4837):

Fixed

@DeepDiver1975

@jesmrec jesmrec requested a review from DeepDiver1975 April 30, 2026 07:05
joragua
joragua approved these changes Apr 30, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@joragua joragua left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good job @jesmrec! 🚀

@jesmrec jesmrec force-pushed the technical/adapt_sbom_workflow_signed_commits branch from 2a28721 to 4e63507 Compare April 30, 2026 12:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joragua joragua joragua approved these changes

@DeepDiver1975 DeepDiver1975 Awaiting requested review from DeepDiver1975

Assignees

@jesmrec jesmrec

Labels

Estimation - 2 (S) GitHub Actions

Projects

None yet

Milestone

4.8 - Current

Development

Successfully merging this pull request may close these issues.

3 participants

@jesmrec @DeepDiver1975 @joragua